Calibrated to GCC central bank frameworks · CBUAE · SAMA · CBB · QCB · CBK · CBO

Articles + field notes.

Observations from real engagements with GCC banks, NBFCs, fintechs and insurers. Substance — not industry commentary.

Browse articles24pieces
Regulatory Inspection

Regulatory inspection readiness — continuous posture, not crisis preparation

When an inspection is announced, many teams shift to crisis mode. The supervisory signal this sends is unfavourable: a mature framework is inspection-ready continuously, not on announcement. This article addresses the gap between the two states and the investments that close it.

Read article
Internal Controls

Internal controls at scale — the case against manual proliferation

As institutions grow, manual controls multiply without matching risk reduction. The CBUAE three-lines framework requires effective controls, not numerous ones. The discipline of distinguishing risk-reducing controls from procedural overhead is the harder governance investment.

Read article
Operational Risk

Operational risk in a digital-first environment — what legacy frameworks miss

Operational risk frameworks built for branch-era banking don't map to cloud-hosted, API-integrated services. The CBUAE Operational Risk Standards require all categories to be managed — including technology concentration, vendor dependency, and API integrity.

Read article
Model Risk Management

Model risk management as a continuous discipline — beyond the validation cycle

Many institutions treat MRM as a series of validation events. Between cycles, models operate without governance oversight. The CBUAE MMS requires something different: a lifecycle framework with continuous monitoring, tiered governance, and clear ownership throughout.

Read article
AI Model Validation

Validating AI and machine learning models under CBUAE MMS — the explainability obligation

ML-based credit scoring carries real model risk. Under CBUAE MMS, algorithmic models require independent validation — but limited interpretability, feature drift, and vendor opacity make that validation materially harder than for traditional scorecards.

Read article
Stress Testing

Stress testing and capital planning — closing the institutional silo

In many banks, stress testing lives in risk and capital planning lives in finance. The CBUAE ICAAP framework is explicit: stress test outcomes must directly shape capital planning, not sit beside it as a separate regulatory deliverable.

Read article
Corporate Restructuring

Corporate restructuring and remediation — beyond the tenor extension

When a corporate exposure enters distress, the reflex is tenor extension. The deeper question — whether the restructuring is sustainable or merely defers a credit event — is one IFRS 9, audit, and supervisory dialogue increasingly press hard.

Read article
Commercial Real Estate

Commercial real estate concentrations — the supervisory question beneath the LTV

LTV at origination addresses one dimension of CRE risk. Sector concentration, master-developer dependency, and rental-yield sensitivity address several others. The frameworks that survive supervisory dialogue have moved well beyond origination-time metrics.

Read article
Portfolio Management

Portfolio de-risking in shifting credit cycles — beyond the rear-view mirror

Conventional credit metrics are backward-looking by design. Effective de-risking requires acting on leading indicators of cycle shift, recalibrating limits dynamically, and tightening origination at segment level before realised losses arrive.

Read article
SME Credit

SME early warning indicators — the move from past-due to behavioural

Days-past-due is lagging by definition. By the time it triggers, deterioration has typically been visible in transactional data for weeks or months. BCBS 2025 credit risk principles reinforce the supervisory expectation that EWI frameworks incorporate behavioural indicators.

Read article
Risk Appetite

The risk appetite statement as a living document — beyond the board binder

The CBUAE Risk Management Regulation requires a board-approved RAS with limits for all material risk categories. The FSB 2013 Principles set the international baseline. Supervisors increasingly test the gap between stated appetite and how it actually constrains daily decisions.

Read article
Reverse Stress Testing

Reverse stress testing — the question conventional stress tests don't ask

Conventional stress tests measure capital impact of assumed shocks. Reverse stress tests start from a defined failure outcome and work backward. CBUAE Pillar 2 §122 mandates the exercise annually. Where it tends to produce insight and where it becomes a documentation deliverable.

Read article
ICoFR

ICoFR as continuous discipline — beyond the annual testing cycle

ICoFR was conceived under COSO as a continuous discipline. In practice, in many institutions it has become a sequence of annual testing exercises around year-end. The substantive difference between continuous and periodic ICoFR, and where the largest control gaps tend to cluster.

Read article
Credit Risk

Credit underwriting at the growth-quality frontier

Loan growth and asset quality are not in fundamental tension. What is in tension is growth velocity and origination discipline. What data-driven underwriting looks like in practice, how early warning systems should connect to IFRS 9 staging, and where the binding constraint sits.

Read article
Risk Governance

When risk policies stop protecting — the case for periodic deep refresh

Risk policies not substantively updated since before the pandemic are common and increasingly a supervisory concern. Risk vectors have evolved materially. The policies governing them often have not. What a serious refresh covers, and where the gap sits in practice.

Read article
FinTech

Risk policies for fintechs — between the framework of a bank and the speed of a product

Fintechs in DIFC and ADGM face a structural tension. Copying a bank's risk policies will paralyse the business. Ignoring regulatory frameworks won't survive supervisory dialogue. What right-sized risk governance actually looks like for fintechs and NBFCs at scale.

Read article
CBUAE MMS

Data quality under CBUAE MMS — the six dimensions that get tested in supervision

Under CBUAE MMS, the defensibility of any risk model depends on the data feeding it. The standard specifies six data quality dimensions and requires the data management function to be functionally separate from operational risk data. Where the largest gaps usually sit.

Read article
CBUAE MMS

CBUAE Model Management Standards — the structural shifts that get under-appreciated

The CBUAE Model Management Standards, in force since late 2022, reshaped how UAE banks govern quantitative models. Most requirements are tractable. A small number of structural shifts — governance separation, third-party dependency, data ownership — is where the work sits.

Read article
Model Validation

Model drift and the case for independent validation

Models degrade as portfolios evolve, macro relationships weaken, and policy changes accumulate. A model defensible two years ago can become indefensible without code changing. What drift looks like, why developer-led monitoring misses it, and what independent validation covers.

Read article
Stress Testing

Stress testing severity — when historical scenarios stop being enough

Stress scenarios most GCC institutions use were calibrated against historical episodes that no longer represent current exposure. What severity now means in supervision, where the gap shows in liquidity, and how to design scenarios that hold up to board scrutiny.

Read article
ICAAP

ICAAP as strategic instrument — not as annual paperwork

ICAAP is, in most institutions, treated as a regulatory deliverable. The Pillar 2 standard was designed for something else. What ICAAP was meant to do, what supervisors increasingly expect, and where compliance ICAAP falls short of strategic ICAAP in practice.

Read article
IFRS 9

Beyond oil — calibrating forward-looking IFRS 9 scenarios for the GCC

Generic global scenarios were never right for GCC ECL models, yet remain in production at many institutions. What IFRS 9 requires for forward-looking calibration, why off-the-shelf scenarios understate regional cyclicality, and what defends in supervisory review.

Read article
IFRS 9

Beyond the black box — what IFRS 9 ECL transparency actually requires

Nearly a decade into IFRS 9 production, early implementations have aged into vendor lock-in. What transparency actually requires under IFRS 9 and CBUAE MMS, where it breaks down, and what an auditable ECL model should let an institution do.

Read article

The IFRS 9 / ICAAP / Stress Testing trinity: how the three actually connect

Many GCC financial institutions run IFRS 9, ICAAP, and stress testing as three separate exercises with three separate teams. The three are mathematically and structurally one framework. Treating them as one is where the real value is

Read article
Articles

Latest writing.

No articles match your search. Try a different keyword.

Don't want to wait?

Have a methodology question now?

Send it directly. We answer technical questions from risk and finance teams even outside engagement scope. No obligation.

Ask a question